Integrating IDM, AM, and DS

For version 5.5, we’ve improved integration between our products. It is now easier than ever to integrate ForgeRock Identity Management (IDM), ForgeRock Access Management (AM), and ForgeRock Directory Services (DS). With integration, you can configure aspects of privacy, consent, trusted devices, and more.

While you can find most of the steps in the IDM 5.5 Samples Guide, this blog collects the information you need to set up integration in one place.

This blog post will guide you through the process.

Preparing Your System

For the purpose of this blog, I’ve configured all three systems in a single Ubuntu 16.04 VM (8 GB RAM / 40 GB HD / 2 CPU).

Install Java 8 on your system. I’ve installed the Ubuntu 16.04-native openjdk-8 packages. In some cases, you may have to include export JAVA_HOME=/usr in your ~/.bashrc or ~/.bash_profile files.

As AM requires fully qualified domain names (FQDNs), I’ve set up an /etc/hosts file with FQDNs for all three systems, with the following line:

192.168.0.1 AM.example.com DS.example.com IDM.example.com

(Substitute your IP address as appropriate. You may set up AM, DS, and IDM on different systems.)

If you set up AM and IDM on the same system, make sure they’re configured to connect on different ports. Both products configure default connections on ports 8080 and 8443.

Download AM, IDM, and DS versions 5.5 from backstage.forgerock.com. For organizational purposes, set them up on their own home directories:

Product   Download         Home Directory
DS        DS-5.5.0.zip     /home/ds
AM        AM-5.5.0.war     /home/am
IDM       IDM-5.5.0.zip    /home/idm

Unpack the zip files. For convenience, copy the Example.ldif file from /home/idm/openidm/samples/full-stack/data to the /home/ds directory.

Configuring ForgeRock Directory Services (DS)

To install DS, navigate to the directory where you unpacked the binary, in this case, /home/ds/opendj. In that directory, you’ll find a setup script. The following command uses that script to start DS as a directory server, with a root DN of “cn=Directory Manager”, with a host name of ds.example.com, port 1389 for LDAP communication, and 4444 for administrative connections.

Substitute the actual URL and ports for your AM and IDM deployments where you see http://am.example.com:8080 and http://idm.example.com:9080.

Configuring AM

If you’ve configured AM on this system before, delete the /home/am/openam directory.

Restart Tomcat with the startup.sh script in the aforementioned apache-tomcat-8.0.47/bin directory.

Navigate to the URL for your AM deployment. In this case, call it http://am.example.com:8080/openam. You’ll create a “Custom Configuration” for OpenAM, and accept the defaults except when setting up User Data Store settings. The options in the following table are based on the previous installation of DS:

Option           Setting
Directory Name   ds.example.com
Port             1389
Root Suffix      dc=example,dc=com
Login ID         cn=Directory Manager
Password         password

When the installation process is complete, you’ll be prompted with a login screen. Log in as the amadmin administrative user with the password you set up during the configuration process. With the following action, you’ll set up an OpenID Connect/OAuth 2.0 service that you’ll configure shortly for a connection to IDM.

Select Applications -> OAuth 2.0. Choose Add Client. In the New OAuth 2.0 Client window that appears, set the Client ID to openidm, the Client Secret to changeme, and the Redirection URI to http://idm.example.com:9080/oauthReturn/. The scope is openid, which reflects the use of the OpenID Connect standard.

Go to the OpenID Connect tab, and enter the following information in the Post Logout Redirect URIs text box:

http://idm.example.com:9080/

http://idm.example.com:9080/admin/

Press Save Changes.

Select Services -> OAuth2 Provider -> Advanced OpenID Connect:

Scroll down and enter openidm in the “Authorized OIDC SSO Clients” text box.

Press Save Changes.

Navigate to the Consent tab.

Enable the Allow Clients to Skip Consent option.

Press Save Changes.

AM is now ready for integration.
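Before moving on to IDM, here is an added example (my own code, not from this post or from ForgeRock) that cross-checks the client settings entered above against the values IDM will present to AM, so a mismatch shows up at review time instead of at the first login. The two dictionaries are constructed for the example, and their key names are a simplified assumption about what each side stores, not the real AM or IDM export format:

```python
"""Added example, not part of the original post or of ForgeRock's code: verify
that the OAuth 2.0 client registered in AM and the OpenID Connect settings IDM
will use agree with each other.

AM_CLIENT and IDM_OIDC are constructed for this demo; their key names are an
assumption, the values are the ones entered in the steps above.
"""
from urllib.parse import urlsplit

# Constructed: what the steps above registered in the AM console.
AM_CLIENT = {
    "client_id": "openidm",
    "client_secret": "changeme",
    "redirect_uris": ["http://idm.example.com:9080/oauthReturn/"],
    "scopes": ["openid"],
    "post_logout_redirect_uris": [
        "http://idm.example.com:9080/",
        "http://idm.example.com:9080/admin/",
    ],
    "authorized_sso_clients": ["openidm"],
}

# Constructed: the values IDM's ForgeRock Identity Provider module will send to AM.
IDM_OIDC = {
    "client_id": "openidm",
    "client_secret": "changeme",
    "redirect_uri": "http://idm.example.com:9080/oauthReturn/",
    "scope": ["openid"],
    "base_url": "http://idm.example.com:9080/",
}


def _origin(url):
    """(scheme, host:port) of a URL, used to tie redirect targets to the IDM deployment."""
    parts = urlsplit(url)
    return (parts.scheme, parts.netloc)


def check_integration(am, idm):
    """Return a list of human-readable mismatches; an empty list means the two sides agree."""
    problems = []
    if am["client_id"] != idm["client_id"]:
        problems.append(f"client_id differs: AM={am['client_id']!r} IDM={idm['client_id']!r}")
    if am["client_secret"] != idm["client_secret"]:
        problems.append("client_secret differs between AM and IDM")
    # Registered redirection URIs are compared as exact strings (RFC 6749 3.1.2.3),
    # so a missing trailing slash, another port or http vs https is a different URI.
    if idm["redirect_uri"] not in am["redirect_uris"]:
        problems.append(f"redirect URI {idm['redirect_uri']!r} is not registered in AM")
    # The redirect target must be the IDM deployment itself, not some other host.
    if _origin(idm["redirect_uri"]) != _origin(idm["base_url"]):
        problems.append("redirect URI does not point at the IDM origin")
    # Without the openid scope AM issues no ID token and IDM cannot identify the user.
    if "openid" not in am["scopes"] or "openid" not in idm["scope"]:
        problems.append("scope 'openid' missing on at least one side")
    # Both the end-user UI and the admin UI log out through AM, so both need registering.
    for uri in (idm["base_url"], idm["base_url"] + "admin/"):
        if uri not in am["post_logout_redirect_uris"]:
            problems.append(f"post-logout redirect {uri!r} not registered in AM")
    # The client must be listed under Authorized OIDC SSO Clients to take part in AM SSO.
    if idm["client_id"] not in am["authorized_sso_clients"]:
        problems.append("client is not listed under Authorized OIDC SSO Clients")
    return problems


if __name__ == "__main__":
    for issue in check_integration(AM_CLIENT, IDM_OIDC) or ["AM and IDM settings agree"]:
        print(issue)
```

The comparison that earns its keep is the exact-string check on the redirect URI: the authorization server matches a registered redirection URI byte for byte, so http://idm.example.com:9080/oauthReturn without the trailing slash, or the same path on a different port, is a different URI and the login fails at the authorization request.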

Configuring ForgeRock Identity Management (IDM)

Now you’re ready to configure IDM, using the following steps:

For the purpose of this blog, use the following project subdirectory: /home/idm/openidm/samples/full-stack.

If you haven’t modified the deployment port for AM, modify the port for IDM. To do so, edit the boot.properties file in the full-stack/conf/boot subdirectory, and change the port property appropriate for your deployment (openidm.port.http or openidm.port.https). For this blog, I’ve changed the openidm.port.http line to:

openidm.port.http = 9080
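As an added example (my own code, not from the post or from ForgeRock), the following script makes that boot.properties change programmatically and then confirms that IDM no longer shares a listener port with the Tomcat HTTP connector AM runs on, which is the clash the earlier note about ports 8080 and 8443 warns about. The sample file contents are constructed stand-ins for full-stack/conf/boot/boot.properties and the Tomcat conf/server.xml:

```python
"""Added example, not from the original post or from ForgeRock: rewrite the
openidm.port.http setting in an IDM boot.properties file and check that IDM
no longer collides with a Tomcat Connector port.

SAMPLE_BOOT_PROPERTIES and SAMPLE_SERVER_XML are constructed stand-ins for
full-stack/conf/boot/boot.properties and apache-tomcat-*/conf/server.xml.
"""
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed: an unmodified boot.properties, still on the 8080/8443 defaults.
SAMPLE_BOOT_PROPERTIES = """\
openidm.host = localhost
openidm.port.http = 8080
openidm.port.https = 8443
openidm.port.mutualauth = 8444
"""

# Constructed: a trimmed Tomcat 8 server.xml with the default HTTP and AJP connectors.
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Engine name="Catalina" defaultHost="localhost"/>
  </Service>
</Server>
"""

# The two IDM listener settings the blog refers to, with or without spaces around '='.
_PORT_LINE = re.compile(r"^(?P<key>openidm\.port\.(?:http|https))\s*=\s*(?P<port>\d+)\s*$", re.M)


def idm_ports(boot_text):
    """Return e.g. {'openidm.port.http': 8080, 'openidm.port.https': 8443} from boot.properties text."""
    return {m.group("key"): int(m.group("port")) for m in _PORT_LINE.finditer(boot_text)}


def set_idm_port(boot_text, key, port):
    """Return boot_text with one openidm.port.* line rewritten; every other line is untouched."""
    line = re.compile(rf"^{re.escape(key)}\s*=.*$", re.M)
    if not line.search(boot_text):
        raise ValueError(f"{key} not present in boot.properties")
    return line.sub(f"{key} = {port}", boot_text, count=1)


def tomcat_ports(server_xml_text):
    """Return the set of ports on which Tomcat's Connector elements listen."""
    root = ET.fromstring(server_xml_text)
    return {int(c.get("port")) for c in root.iter("Connector") if c.get("port")}


def port_conflicts(boot_text, server_xml_text):
    """Return the IDM settings whose port is also a Tomcat connector port, sorted by key."""
    taken = tomcat_ports(server_xml_text)
    return sorted(key for key, port in idm_ports(boot_text).items() if port in taken)


def move_idm_http_port(boot_path, server_xml_path, new_port=9080):
    """Apply the blog's change to boot.properties on disk; return the conflicts that remain."""
    boot_path = Path(boot_path)
    updated = set_idm_port(boot_path.read_text(), "openidm.port.http", new_port)
    boot_path.write_text(updated)
    return port_conflicts(updated, Path(server_xml_path).read_text())


def demo():
    """Run the check end to end on the constructed files; returns (before, after, new HTTP port)."""
    with tempfile.TemporaryDirectory() as tmp:
        boot = Path(tmp, "boot.properties")
        server_xml = Path(tmp, "server.xml")
        boot.write_text(SAMPLE_BOOT_PROPERTIES)
        server_xml.write_text(SAMPLE_SERVER_XML)
        before = port_conflicts(SAMPLE_BOOT_PROPERTIES, SAMPLE_SERVER_XML)
        after = move_idm_http_port(boot, server_xml)
        return before, after, idm_ports(boot.read_text())["openidm.port.http"]


if __name__ == "__main__":
    print(demo())  # (['openidm.port.http'], [], 9080)
```

Only Connector elements are treated as listeners; the redirectPort="8443" attribute on the HTTP connector is not a bound port unless an SSL connector is actually enabled in server.xml, which is why a default Tomcat and the IDM default of 8443 for openidm.port.https are not reported as a clash here.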

Start IDM using the full-stack project directory:

$ cd openidm

$ ./startup.sh -p samples/full-stack

In a browser, navigate to http://idm.example.com:9080/admin

Log in as an IDM administrator:

Username: openidm-admin

Password: openidm-admin

Reconcile users from the common DS user store to IDM. Select Configure -> Mappings. In the page that appears, find the mapping from System/Ldap/Account to Managed/User, and press Reconcile. That will populate the IDM Managed User store with users from the common DS user store.

Select Configure -> Authentication. Choose the ForgeRock Identity Provider option. In the window that appears, scroll down to the configuration details. Based on the instance of AM configured earlier, you’d change: